Tetrate announced that Container Network Interface (CNI) network policies can be automatically generated from layer 7 application-level policies with Tetrate Service Bridge (TSB). The new feature heads off policy conflicts by having a single product generate and enforce both layer 7 (L7) and layer 4 (L4) security policies consistently. The TSB automatic network policy generation feature follows the recommendations of NIST SP 800-207A, A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments. This is especially important for highly regulated industries.
Container Network Interface plugins such as Cilium and Calico are open source, cloud-native solutions for providing, securing and observing network connectivity between workloads. Keeping security rules consistent between L4 and L7 becomes hard to coordinate when large or multiple teams work on one application stack, and network layer (L4) and application layer (L7) security policies can end up conflicting with each other.
Traditional zero trust policy enforcement takes a fragmented and reactive approach. For example, when an organization implements zero trust (denying all traffic by default), it often struggles with continual policy mismatches caused by conflicts between L7 and L4 policies. Developers then repeatedly ask when their microservices will be able to connect, while ops keeps changing the configuration. The organization spends its time coordinating people and priorities across technologies and environments to find the conflicts instead of creating software that solves business problems. TSB directly addresses this problem.
TSB takes a unified and proactive approach to zero trust by preventing discrepancies between L4 and L7 policies and addressing the root of the problem by:
- translating L7 service-level policies to L4 level
- delivering users a recommendation when conflicting rules occur
- facilitating a security decision by the operator
- enabling the operator to use the generated policy as a reference check for consistency
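The following is an added, illustrative example of the four steps above; it is not Tetrate's code and does not reproduce TSB's actual algorithm. It assumes a reduced L7 rule shape loosely modelled on an Istio AuthorizationPolicy (source app, destination app, port, HTTP methods and paths) and an L4 shape loosely modelled on a Kubernetes NetworkPolicy ingress rule, with hypothetical app names (frontend, backend, payments, monitoring, batch) and constructed sample policies. It derives the L4 reachability an L7 policy needs, renders it as a NetworkPolicy-shaped reference, and flags where the L4 policies already in force block or exceed it.

```python
# Added example: translate L7 allow rules into the L4 rules they require and
# check them against existing L4 policies. Hypothetical, not TSB's own code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class L7Rule:
    """ALLOW: src_app may call dst_app on port, limited to methods and paths."""
    src_app: str
    dst_app: str
    port: int
    methods: tuple = ("GET",)
    paths: tuple = ("/",)


@dataclass(frozen=True)
class L4Rule:
    """Ingress: pods labelled app=src_app may open TCP to app=dst_app on port."""
    src_app: str
    dst_app: str
    port: int


@dataclass
class L4Policy:
    """Default-deny ingress policy for one target app plus its allow rules."""
    dst_app: str
    rules: set = field(default_factory=set)


def derive_l4(l7_rules):
    """Translate L7 ALLOW rules into required L4 reachability.

    Methods and paths cannot be expressed at L4 and are dropped; what remains
    is the minimal (source, destination, port) set the network layer must
    permit for the L7 policy to be satisfiable at all.
    """
    return {L4Rule(r.src_app, r.dst_app, r.port) for r in l7_rules}


def to_network_policy(dst_app, rules):
    """Render the generated rules for one app as a NetworkPolicy-shaped dict."""
    ingress = [
        {"from": [{"podSelector": {"matchLabels": {"app": r.src_app}}}],
         "ports": [{"protocol": "TCP", "port": r.port}]}
        for r in sorted(rules, key=lambda r: (r.src_app, r.port))
        if r.dst_app == dst_app
    ]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": f"generated-{dst_app}"},
            "spec": {"podSelector": {"matchLabels": {"app": dst_app}},
                     "policyTypes": ["Ingress"], "ingress": ingress}}


def check_consistency(generated, existing):
    """Return (severity, recommendation) pairs for the operator.

    'conflict': L7 allows a call that the L4 policy for its target blocks,
                so the call can never succeed.
    'review'  : L4 allows a flow with no matching L7 allow; harmless under
                L7 default-deny but broader than the stated intent.
    """
    findings = []
    by_dst = {p.dst_app: p for p in existing}
    for req in sorted(generated, key=lambda r: (r.dst_app, r.src_app, r.port)):
        pol = by_dst.get(req.dst_app)
        if pol is not None and req not in pol.rules:
            findings.append(("conflict",
                f"L7 allows {req.src_app} -> {req.dst_app}:{req.port} but the "
                f"L4 policy for {req.dst_app} does not; apply the generated "
                f"ingress rule or drop the L7 allow"))
    for pol in existing:
        for rule in sorted(pol.rules, key=lambda r: (r.src_app, r.port)):
            if rule not in generated:
                findings.append(("review",
                    f"L4 allows {rule.src_app} -> {rule.dst_app}:{rule.port} "
                    f"with no matching L7 allow; consider tightening"))
    return findings


# Constructed sample L7 intent.
L7_POLICIES = [
    L7Rule("frontend", "backend", 8080, ("GET",), ("/api",)),
    L7Rule("backend", "payments", 9090, ("POST",), ("/charge",)),
]

# Constructed sample of L4 policies already applied by ops: the backend policy
# lacks frontend:8080 (conflict); the payments policy also admits batch:9090
# (broader than L7).
EXISTING_L4 = [
    L4Policy("backend", {L4Rule("monitoring", "backend", 8080)}),
    L4Policy("payments", {L4Rule("backend", "payments", 9090),
                          L4Rule("batch", "payments", 9090)}),
]

if __name__ == "__main__":
    generated = derive_l4(L7_POLICIES)
    for severity, message in check_consistency(generated, EXISTING_L4):
        print(f"[{severity}] {message}")
    print(to_network_policy("backend", generated))
```

The design point is that translation is lossy in one direction only: every L7 allow implies an L4 allow, but an L4 allow says nothing about methods or paths, so the generated L4 set is a lower bound that the operator can compare against what is deployed, and a deployed L4 policy that falls short of it is the case that produces the "my service cannot connect" symptom described above.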
This capability offers TSB users greater visibility and control, aiding operators in making a decision when inconsistencies show up. It reduces potential conflicts between L4 and L7 enforcement, and it delivers greater predictability and consistency in how network policies are managed across a complex enterprise cloud environment.
"One of the primary benefits of open source service mesh like Istio is its ability to deliver a zero trust architecture that's codified by standards bodies like NIST," said David Wang, head of product at Tetrate. "By automatically generating network layer policies in TSB, we put our platform team users in the driver's seat with a proactive posture and simplified the means to manage security policies between layer 4 and layer 7. Throughout 2023, we've been adding more and more capabilities to support our rapidly growing enterprise user base. This capability is just the most recent example of that commitment."